Before we restart Apache, we add the www-data user to the ssl-cert group and provision it for SUDO access.

adduser www-data ssl-cert

www-data Sudo Access for installation

For the web server to be able to install or compile software, access is required via SUDO. For this purpose, we will TEMPORARILY
be giving full root access to the web server by adding it to the 'sudo'
group and configuring SUDO to allow full access without a password to
the www-data user.

Again, this is a temporary step and will be reverted at the end of the installation.

If the above command does not provide a directory listing for /root (if
the folder is empty, only . and .. will be displayed; anything but
"permission denied" is okay), then your sudo configuration did not
work. Please retrace your steps and ensure sudo is configured properly
and working for the sudo group as required.

Note: When people tell you "it's stupid to run a web server as root", they are absolutely right. You should NEVER
be running a web service with root user privileges. We introduced this
temporary step only to ease the installation process. You must ensure
that SUDO provisioning for the www-data group is removed completely and
the sudoers file has no trace of the modifications we made.

You will be reminded of these steps at the end of the installation process.
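
One way to verify the cleanup this note requires, as an added example that is not part of the original guide: the functions below check that www-data is no longer in the sudo group and that no active sudoers line names www-data or grants NOPASSWD to %sudo. The function names and the default paths (/etc/group, /etc/sudoers, /etc/sudoers.d) are assumptions, since the guide's exact sudoers edit is not shown here.

```shell
#!/bin/sh
# Added example: confirm the temporary www-data sudo access is gone.
# Assumed paths (Debian defaults): /etc/group, /etc/sudoers, /etc/sudoers.d/*

# in_group GROUPFILE GROUP USER -> status 0 if USER is a listed member of GROUP
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# sudoers_traces USER FILE... -> prints every active line that names USER or
# gives the sudo group NOPASSWD; prints nothing when the files are clean.
# Lines starting with "#" are skipped, so "#uid" user entries are not examined.
sudoers_traces() {
    user=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v u="$user" '
            /^[ \t]*#/ { next }
            (" " $0 " ") ~ ("[^A-Za-z0-9_-]" u "[^A-Za-z0-9_-]") ||
            (/^[ \t]*%sudo[ \t]/ && /NOPASSWD/) { print FILENAME ": " $0 }
        ' "$f"
    done
}

# audit_www_sudo [GROUPFILE [SUDOERS_FILE...]] -> 0 if no trace remains, else 1
audit_www_sudo() {
    groupfile=${1:-/etc/group}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /etc/sudoers /etc/sudoers.d/*
    rc=0
    if in_group "$groupfile" sudo www-data; then
        echo "FAIL: www-data is still a member of the sudo group"
        rc=1
    fi
    traces=$(sudoers_traces www-data "$@")
    if [ -n "$traces" ]; then
        echo "FAIL: active sudoers lines still grant access:"
        echo "$traces"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no www-data sudo access found"
    return "$rc"
}
```

Run `audit_www_sudo` as root once the installer has finished; `sudo -l -U www-data` gives sudo's own view of the same question.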

Restart Apache via:

/etc/init.d/apache2 restart

Ensure that the web service is listening only on port 80 of the given IP address:

apache2ctl -t -D DUMP_VHOSTS

Create Temporary Extract Folder

We will only run commands via SUDO where it is unavoidable. For all
other purposes, we will extract, compile and configure software as the
web user. To do this:

Enable logging for OpenLDAP

In case of any errors when populating OpenLDAP, enable logging by editing /etc/syslog.conf and adding:

local4.* -/var/log/slapd.log

Then restart sysklogd:

/etc/init.d/sysklogd restart

You should now see slapd messages in /var/log/slapd.log.

Web Based Installation

At this point we're ready for the web-based installer to take over
for the most part. The web installer compiles OpenLDAP, a few LDAP
modules, Heimdal and BIND automatically. As such, it may take a while
to complete. In the future we would have packages for these, but
currently compilation is the approach we have taken.